UnPPP v1.00
by BoB
Created 27.07.2007


Description

This plugin will extract a file packed with Personal Private Packer (PPP) v1.0.2 ..
It is a static unpacker, so don't worry about unpacking malware.

What does the packer do?
PPP packs the target file using aPLib, then encrypts using lame ror / xor ..
The packer then inserts the target file into the resource section of a stub exe..

What does the stub do?
The stub finds the packed file in the rsrc section, decrypts it and then unpacks it into memory.
Then the stub re-runs itself using CreateProcess and overwrites the loaded image with
the unpacked file.. Finally the embedded malware is run by setting the thread context and resuming..

What does the unpacker do?
It loads the packed file into memory, and finds the packed file in the rsrc section.
Now we decrypt it and finally, we use aPLib to unpack the data!

This packer is generally only used to hide malware..
At no time is the target program run, so it is perfectly safe to use on suspicious files..

Interesting note:
The PPP.exe (the packer) contains a rsrc called CMDLINE .. This is a 19k console program that
does the actual work .. I'm not entirely sure why the PPP.exe is 920k bigger though .. ;)


Usage:
Simply run the plugin from PEiD and the plugin will unpack the file and save it as Unpacked.EXE
in the same directory as the target file ..



Signature

[Private Personal Packer (PPP) v1.0.2 --> ConquestOfTroy.com]
signature = E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00
ep_only = true

Just add this to your UserDB.TXT to detect PPP v1.0.2 encrypted files..
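As an added illustration (not part of the plugin or this readme), here is a small Python reader for UserDB.TXT entries that tests the PPP signature above at a file's entry point the way PEiD's ep_only flag does. The "image" buffer in demo() is constructed filler with the stub bytes placed at an assumed entry point, not a real PPP-packed file.

```python
from typing import Optional

# PEiD UserDB.TXT entry for PPP v1.0.2, copied from the Signature section of this readme.
PPP_ENTRY = (
    "[Private Personal Packer (PPP) v1.0.2 --> ConquestOfTroy.com]\n"
    "signature = E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 "
    "6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 "
    "E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C "
    "37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 "
    "83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A "
    "07 6A 00\n"
    "ep_only = true\n"
)

def parse_userdb(text: str) -> list:
    """Parse UserDB.TXT entries into dicts: name, pattern (int or None per byte), ep_only."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": False}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if key.lower() == "signature":
                # "??" is PEiD's wildcard byte; every other token is a hex byte
                cur["pattern"] = [None if t == "??" else int(t, 16) for t in value.split()]
            elif key.lower() == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return entries

def matches_at(pattern: list, data: bytes, offset: int) -> bool:
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or p == data[offset + i] for i, p in enumerate(pattern))

def scan(entry: dict, data: bytes, ep_offset: int) -> Optional[int]:
    """Offset where the entry matches, or None; ep_only entries are tried only at the EP."""
    if entry["ep_only"]:
        return ep_offset if matches_at(entry["pattern"], data, ep_offset) else None
    for off in range(len(data) - len(entry["pattern"]) + 1):
        if matches_at(entry["pattern"], data, off):
            return off
    return None

def demo() -> tuple:
    # Constructed sample: NOP filler with the stub's entry-point bytes at an assumed EP of 0x200.
    entry = parse_userdb(PPP_ENTRY)[0]
    image = b"\x90" * 0x200 + bytes(entry["pattern"]) + b"\x00" * 0x100
    return scan(entry, image, 0x200), scan(entry, image, 0x0)
```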


History

Version 1.00 - 27-Jul-2007
     o   Unpacks PPP v1.0.2 (and maybe more, I have no other files to test)


Info

Greets to: sowhat-x, snaker, Jibz & Qwerton, Jupiter, BuLLeT, Jeremy Collake, _pusher_, dila, mr Haggar, Fly and all peeps on PEiD forum

Comments? Bugs?    You look like Jessica Alba? ;)    Email : BobSoft@GMail.com

For more plugins see my plugins site - Hosted by BuLLeT (Thanks!)

Thanks again to whoever invented coffee, without which I would never get anything done.. ;)

~ A program without bugs has either too few users, or too few uses ~